This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
o365audit input to retrieve audit messages from Office 365
and Azure AD activity logs. These are the same logs that are available under
Audit log search in the Security and Compliance center.
A single input instance can be used to fetch events for multiple tenants as long as a single application is configured to access all tenants. Certificate-based authentication is recommended in this scenario.
This input doesn’t perform any transformation on the incoming messages, notably no Elastic Common Schema fields are populated, and some data is encoded as arrays of objects, which are difficult to query in Elasticsearch. You probably want to use the Office 365 module instead.
filebeat.inputs: - type: o365audit application_id: my-application-id tenant_id: my-tenant-id client_secret: my-client-secret
Multi-tenancy and certificate-based authentication is also supported:
filebeat.inputs: - type: o365audit application_id: my-application-id tenant_id: - tenant-id-A - tenant-id-B - tenant-id-C certificate: /path/to/cert.pem key: /path/to/private.pem # key_passphrase: "my key's password"
o365audit input supports the following configuration options plus the
Common options described later.
The Application ID (also known as Client ID) of the Azure application to authenticate as.
The tenant ID (also known as Directory ID) whose data is to be fetched. It’s also possible to specify a list of tenants IDs to fetch data from more than one tenant.
List of content types to fetch. The default is to fetch all known content types:
The client secret used for authentication.
Path to the public certificate file used for certificate-based authentication.
Path to the certificate’s private key file for certificate-based authentication.
Passphrase used to decrypt the private key.
The authentication endpoint used to authorize the Azure app. This is
https://login.microsoftonline.com/ by default, and can be changed to access
The API resource to retrieve information from. This is
https://manage.office.com by default, and can be changed to access alternative
The maximum data retention period to support.
168h by default. Filebeat
will fetch all retained data for a tenant when run for the first time.
The interval to wait before polling the API server for new events. Default
The maximum number of requests to perform per minute, for each tenant. The
2000, as this is the server-side limit per tenant.
The maximum time window that API allows in a single query. Defaults to
to match Microsoft’s documented limit.
Controls whether the original o365 audit object will be kept in
or not. Defaults to
The following configuration options are supported by all inputs.
enabled option to enable and disable inputs. By default, enabled is
set to true.
A list of tags that Filebeat includes in the
tags field of each published
event. Tags make it easy to select specific events in Kibana or apply
conditional filtering in Logstash. These tags will be appended to the list of
tags specified in the general configuration.
filebeat.inputs: - type: o365audit . . . tags: ["json"]
Optional fields that you can specify to add additional information to the
output. For example, you might add fields that you can use for filtering log
data. Fields can be scalar values, arrays, dictionaries, or any nested
combination of these. By default, the fields that you specify here will be
grouped under a
fields sub-dictionary in the output document. To store the
custom fields as top-level fields, set the
fields_under_root option to true.
If a duplicate field is declared in the general configuration, then its value
will be overwritten by the value declared here.
filebeat.inputs: - type: o365audit . . . fields: app_id: query_engine_12
If this option is set to true, the custom
fields are stored as top-level fields in
the output document instead of being grouped under a
fields sub-dictionary. If
the custom field names conflict with other field names added by Filebeat,
then the custom fields overwrite the other fields.
A list of processors to apply to the input data.
See Processors for information about specifying processors in your config.
The ingest pipeline ID to set for the events generated by this input.
The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
If this option is set to true, fields with
null values will be published in
the output document. By default,
keep_null is set to
If present, this formatted string overrides the index for events from this input
(for elasticsearch outputs), or sets the
raw_index field of the event’s
metadata (for other outputs). This string can only refer to the agent name and
version and the event timestamp; for access to dynamic fields, use
output.elasticsearch.index or a processor.
By default, all events contain
host.name. This option can be set to
disable the addition of this field to all events. The default value is